/// <summary> /// Try to get the client id. /// </summary> /// <param name="instruction"></param> /// <returns></returns> public string GetClientId(AuthenticateInstruction instruction) { if (instruction.ClientAssertionType != Dtos.Constants.ClientAssertionTypes.JwtBearer || string.IsNullOrWhiteSpace(instruction.ClientAssertion)) { return(string.Empty); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (isJweToken && isJwsToken) { return(string.Empty); } // It's a JWE token then return the client_id from the HTTP body if (isJweToken) { return(instruction.ClientIdFromHttpRequestBody); } // It's a JWS token then return the client_id from the token. var payload = _jwsParser.GetPayload(clientAssertion); if (payload == null) { return(string.Empty); } return(payload.Issuer); }
public string GetClientIdFromClientAssertion(AuthenticateInstruction instruction) { if (instruction.ClientAssertionType != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" || string.IsNullOrWhiteSpace(instruction.ClientAssertion)) { return(string.Empty); } var clientAssertion = instruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); var isJwsToken = _jwtParser.IsJwsToken(clientAssertion); if (isJweToken && isJwsToken) { return(string.Empty); } if (isJweToken) { return(instruction.ClientIdFromHttpRequestBody); } var payload = _jwsGenerator.ExtractPayload(clientAssertion); if (payload == null) { return(string.Empty); } return(payload.GetClaimValue("iss")); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (client.Secrets == null) { throw new ArgumentNullException(nameof(client.Secrets)); } var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret); if (clientSecret == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, clientSecret.Value).ConfigureAwait(false); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false); if (payload == null) { throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer)); }
protected async Task <JwsPayload> ExtractHint(string tokenHint, CancellationToken cancellationToken) { if (!_jwtParser.IsJwsToken(tokenHint) && !_jwtParser.IsJweToken(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } if (_jwtParser.IsJweToken(tokenHint)) { tokenHint = await _jwtParser.Decrypt(tokenHint, cancellationToken); if (string.IsNullOrWhiteSpace(tokenHint)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT); } } return(await _jwtParser.Unsign(tokenHint, cancellationToken)); }
public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT) { if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } JwsPayload jwsPayload; try { jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode); } catch (JwtException ex) { throw new OAuthException(errorCode, ex.Message); } return(new RequestObjectValidatorResult(jwsPayload, header)); }
private async Task <AuthorizationRequest> GetAuthorizationRequestFromJwt(string token, string clientId) { var jwsToken = token; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token, clientId); } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken, clientId); return(jwsPayload == null ? null : jwsPayload.ToAuthorizationRequest()); }
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT) { if (authenticateInstruction == null) { throw new ArgumentNullException(nameof(authenticateInstruction)); } if (client == null) { throw new ArgumentNullException(nameof(client)); } if (string.IsNullOrWhiteSpace(client.ClientSecret)) { throw new OAuthException(errorCode, ErrorMessages.NO_CLIENT_SECRET); } var clientAssertion = authenticateInstruction.ClientAssertion; var isJweToken = _jwtParser.IsJweToken(clientAssertion); if (!isJweToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } var clientId = authenticateInstruction.ClientIdFromHttpRequestBody; var jws = await _jwtParser.Decrypt(clientAssertion, clientId, client.ClientSecret, cancellationToken); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION); } var isJwsToken = _jwtParser.IsJwsToken(jws); if (!isJwsToken) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT); } JwsPayload payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode); if (payload == null) { throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE); } return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode)); }
private async Task <JwsPayload> Extract(string accessToken) { var isJwe = _jwtParser.IsJweToken(accessToken); var isJws = _jwtParser.IsJwsToken(accessToken); if (!isJwe && !isJws) { return(null); } var jws = accessToken; if (isJwe) { jws = await _jwtParser.Decrypt(accessToken); } return(await _jwtParser.Unsign(jws)); }
private async Task <JwsPayload> ExtractPATTokenPayload(CancellationToken cancellationToken) { var token = ExtractAuthorizationValue(); if (string.IsNullOrWhiteSpace(token)) { return(null); } var isJweToken = _jwtParser.IsJweToken(token); var isJwsToken = _jwtParser.IsJwsToken(token); if (isJweToken && isJwsToken) { return(null); } if (isJweToken) { token = await _jwtParser.Decrypt(token, cancellationToken); } return(await _jwtParser.Unsign(token, cancellationToken)); }
protected async Task <bool> CheckRequest(HandlerContext context, string request) { var openidClient = (OpenIdClient)context.Client; if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER); } var jws = request; if (_jwtParser.IsJweToken(request)) { jws = await _jwtParser.Decrypt(jws); if (string.IsNullOrWhiteSpace(jws)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER); } } JwsHeader header = null; try { header = _jwtParser.ExtractJwsHeader(jws); } catch (InvalidOperationException) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if ( (!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) || (string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != NoneSignHandler.ALG_NAME) ) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG); } var jwsPayload = await _jwtParser.Unsign(jws, context.Client); if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM); } if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.Data.GetResponseTypesFromAuthorizationRequest())) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM); } if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM); } context.Request.SetData(JObject.FromObject(jwsPayload)); return(true); }
private async Task ProcessIdTokenHint( ActionResult actionResult, AuthorizationParameter authorizationParameter, ICollection <PromptParameter> prompts, ClaimsPrincipal claimsPrincipal, string issuerName) { if (!string.IsNullOrWhiteSpace(authorizationParameter.IdTokenHint) && prompts.Contains(PromptParameter.none) && actionResult.Type == TypeActionResult.RedirectToCallBackUrl) { var token = authorizationParameter.IdTokenHint; if (!_jwtParser.IsJweToken(token) && !_jwtParser.IsJwsToken(token)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterIsNotAValidToken, authorizationParameter.State); } string jwsToken; if (_jwtParser.IsJweToken(token)) { jwsToken = await _jwtParser.DecryptAsync(token); if (string.IsNullOrWhiteSpace(jwsToken)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdTokenHintParameterCannotBeDecrypted, authorizationParameter.State); } } else { jwsToken = token; } var jwsPayload = await _jwtParser.UnSignAsync(jwsToken); if (jwsPayload == null) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheSignatureOfIdTokenHintParameterCannotBeChecked, authorizationParameter.State); } if (jwsPayload.Audiences == null || !jwsPayload.Audiences.Any() || !jwsPayload.Audiences.Contains(issuerName)) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheIdentityTokenDoesntContainSimpleIdentityServerAsAudience, authorizationParameter.State); } var currentSubject = string.Empty; var expectedSubject = jwsPayload.GetClaimValue(Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (claimsPrincipal != null && claimsPrincipal.IsAuthenticated()) { currentSubject = claimsPrincipal.GetSubject(); } if (currentSubject != expectedSubject) { throw new IdentityServerExceptionWithState( ErrorCodes.InvalidRequestCode, ErrorDescriptions.TheCurrentAuthenticatedUserDoesntMatchWithTheIdentityToken, authorizationParameter.State); } } }